 
 From:  Melvin <melvin at sleepydragon dot net>
 To:  sai <sonicsai at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] tracking down ip
 Date:  Thu, 26 Jan 2006 08:47:54 -0500
sai wrote:
> I have
> 10:16:00.273735 rl0 @0:10 b 169.254.15.77,138 -> 169.254.255.255,138
> PR udp len 20 236 IN
>
> showing up on the logs.
>
> Now rl0 is my LAN and the ip addresses are 192.168.10.1/24 so this
> shouldn't be coming from the LAN.
> There is nothing with 169.x.x.x in the arp tables. Is this packet
> from the LAN or what? If it is on my LAN then how do I track down
> which computer is doing this using m0n0?
>
> sai
>   
I think you'll find that's the automatic IP range generated on Windows 
boxes when they don't find a DHCP server, etc.  Whatever machine is 
doing it probably isn't talking to anything on the network although it 
is certainly trying.  That's why it is sending data to the broadcast 
address for its subnet.  If you set a secondary IP address in this 
range on another machine, you should be able to talk to that box and 
likely determine enough info to track it down.

Melvin
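
An added example, not part of the original message or of m0n0wall: a small Python parser that reads filter log lines in the layout quoted above and reports sources that fall outside the interface's configured subnet, labelling 169.254.0.0/16 senders as link-local. The function names, the regular expression (inferred from the single quoted log line) and all sample lines except the first are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Field layout taken from the log line quoted in the thread (joined onto one line).
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<ifname>\S+)\s+@(?P<rule>\d+:\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+\d+\s+\d+\s+(?P<dir>IN|OUT)\s*$"
)
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 autoconfiguration range

def classify(line, if_subnets):
    """Parse one log line; return (ifname, src, verdict) or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    src = ipaddress.ip_address(m["src"])
    subnet = if_subnets.get(m["ifname"])
    if subnet is not None and src in subnet:
        verdict = "in-subnet"
    elif src in LINK_LOCAL:
        # Link-local traffic is not forwarded by routers, so the sender sits on
        # the same layer-2 segment as the interface that logged it.
        verdict = "link-local"
    else:
        verdict = "foreign"
    return m["ifname"], str(src), verdict

def unexpected_sources(lines, if_subnets):
    """Count logged packets per (ifname, src, verdict) whose source is outside the subnet."""
    hits = Counter()
    for line in lines:
        parsed = classify(line, if_subnets)
        if parsed and parsed[2] != "in-subnet":
            hits[parsed] += 1
    return hits

# Assumption: rl0 carries 192.168.10.0/24, as stated in the question.
IF_SUBNETS = {"rl0": ipaddress.ip_network("192.168.10.0/24")}
SAMPLE = [
    "10:16:00.273735 rl0 @0:10 b 169.254.15.77,138 -> 169.254.255.255,138 PR udp len 20 236 IN",
    # The lines below are constructed for this example.
    "10:16:12.100000 rl0 @0:10 b 169.254.15.77,138 -> 169.254.255.255,138 PR udp len 20 236 IN",
    "10:16:20.500000 rl0 @0:10 b 192.168.10.23,138 -> 192.168.10.255,138 PR udp len 20 236 IN",
    "not a filter log line",
]

if __name__ == "__main__":
    for (ifname, src, verdict), n in unexpected_sources(SAMPLE, IF_SUBNETS).items():
        print(f"{ifname}: {src} ({verdict}) seen {n} time(s)")
```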